Open Stack

On Mon, May 29, 2017 at 9:02 PM, Jeremy Stanley <fungi at yuggoth.org> wrote:
> On 2017-05-29 15:43:43 +0200 (+0200), Emilien Macchi wrote:
>> On Wed, May 24, 2017 at 7:45 PM, Ben Nemec <openstack at nemebean.com> wrote:
> [...]
>> > Emilien, I think we should create a tripleo-coresec group in
>> > launchpad that can be used for this. We have had
>> > tripleo-affecting security bugs in the past and I imagine we
>> > will again. I'm happy to help out with that, although I will
>> > admit my launchpad-fu is kind of weak so I don't know off the
>> > top of my head how to do it.
>>
>> That or re-use an existing Launchpad group used by OpenStack VMT?
>
> The OpenStack VMT doesn't triage bugs for deliverables aside from
> those tagged with vulnerability:managed in governance. For those we
> recommend private security bugs only be automatically shared with
> the openstack-vuln-mgmt team in LP, and then we manually subscribe
> something-coresec to the report once we're sure it was reported
> against the correct project. For deliverables without VMT oversight,
> it makes sense to have private security bugs automatically shared
> with those something-coresec teams directly.
>
> https://governance.openstack.org/tc/reference/tags/vulnerability_managed.html

I created https://launchpad.net/~tripleo-coresec

With me (Pacific Time soon), shardy (Europe), bnemec (East coast) and
fungi (East coast) for now. If we feel like we need more people we'll
think about it.
I'll explore Launchpad to see how we can use this group to handle Security bugs.

Thanks,

> --
> Jeremy Stanley
>
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>



-- 
Emilien Macchi